Bump actions/upload-artifact from 3 to 4

.github/FUNDING.yml

@@ -1,3 +1,4 @@
+github: Deuchnord
 liberapay: Deuchnord
 custom:
   - https://www.utip.io/deuchnord

.github/dependabot.yml

@@ -7,14 +7,10 @@ updates:
     target-branch: main
     schedule:
       interval: daily
-    reviewers:
-      - Deuchnord
 
   - package-ecosystem: github-actions
     directory: "/"
     open-pull-requests-limit: 5
     target-branch: main
     schedule:
       interval: weekly
-    reviewers:
-      - Deuchnord

.github/workflows/docker-unstable-tag.yml

@@ -10,19 +10,19 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Setup QEMU
-              uses: docker/setup-qemu-action@v2
+              uses: docker/setup-qemu-action@v3
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
+              uses: docker/setup-buildx-action@v3
 
             - name: Login to Docker Hub
-              uses: docker/login-action@v2
+              uses: docker/login-action@v3
               with:
                 username: ${{ secrets.DOCKERHUB_USERNAME }}
                 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
             - name: Build and push
-              uses: docker/build-push-action@v3
+              uses: docker/build-push-action@v5
               with:
                 push: true
                 tags: deuchnord/f2ap:unstable

.github/workflows/linters.yml

@@ -0,0 +1,34 @@
+name: Code quality
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+    black:
+        name: Check code style
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-python@v4
+              with:
+                python-version: '3.x'
+            - uses: psf/[email protected]
+
+    pycln:
+        name: Check imports
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-python@v4
+              with:
+                python-version: '3.x'
+            - run: |
+                  pip install poetry
+                  poetry install
+            - run: |
+                  poetry run pycln --check f2ap tests

.github/workflows/release.yml

@@ -9,7 +9,7 @@ jobs:
         name: Build and release to PyPI
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
             - name: Set up Python
               uses: actions/setup-python@v4
               with:
@@ -41,19 +41,19 @@ jobs:
                 echo "patch=$(echo $TAG)" >> $GITHUB_OUTPUT
 
             - name: Setup QEMU
-              uses: docker/setup-qemu-action@v2
+              uses: docker/setup-qemu-action@v3
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
+              uses: docker/setup-buildx-action@v3
 
             - name: Login to Docker Hub
-              uses: docker/login-action@v2
+              uses: docker/login-action@v3
               with:
                 username: ${{ secrets.DOCKERHUB_USERNAME }}
                 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
             - name: Build and push
-              uses: docker/build-push-action@v3
+              uses: docker/build-push-action@v5
               with:
                 push: true
                 tags: |

.github/workflows/tests.yml

@@ -0,0 +1,74 @@
+name: Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+    pytest:
+        name: Unit tests
+        runs-on: ${{ matrix.os }}
+
+        strategy:
+            fail-fast: false
+            matrix:
+                os:
+                    - ubuntu-latest
+                    - macos-latest
+                python_version:
+                    - '3.9'
+                    - '3.10'
+                    - '3.11'
+
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/setup-python@v4
+              with:
+                python-version: '3.x'
+            - run: |
+                  pip install poetry
+                  poetry install
+            - run: |
+                  poetry run pytest --cov=f2ap tests/*.py
+
+            - name: Push code coverage
+              env:
+                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                COVERALLS_PARALLEL: true
+                COVERALLS_FLAG_NAME: "Py${{ matrix.python_version }}_${{ matrix.os }}"
+              run: |
+                python3 -m poetry run coveralls --service=github
+
+            # Upload generated artifacts only if tests don't pass, to help debugging.
+            - name: Upload artifacts
+              uses: actions/upload-artifact@v4
+              if: failure()
+              with:
+                  name: test-files
+                  path: tests/files/
+
+    coverage:
+        name: Push coverage report
+        needs: pytest
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v4
+
+            - name: Prepare Python
+              uses: actions/setup-python@v4
+              with:
+                python-version: "3.x"
+
+            - name: Install dependencies
+              run: |
+                pip install poetry
+                poetry install
+
+            - name: Upload coverage report
+              run: |
+                poetry run coveralls --finish --service=github
+              env:
+                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,3 +1,7 @@
 *.toml
 !*.dist.toml
 *.db
+*.bak
+
+!/tests/files/database/upgrade/database-v1.db
+.coverage

README.md

@@ -1,5 +1,7 @@
 # ![f2ap](logo.svg)
 
+[![Coverage Status](https://coveralls.io/repos/github/Deuchnord/f2ap/badge.svg?branch=main)](https://coveralls.io/github/Deuchnord/f2ap?branch=main)
+
 f2ap (_Feed to ActivityPub_) is a web application that uses the RSS/Atom feed of your website to expose it on the Fediverse
 through ActivityPub.
 
@@ -61,49 +63,7 @@ If you run f2ap with Docker, make sure to name it `config.toml` and to place it
 
 ### Configuring the server
 
-To provide a better integration to your website, you are encouraged to add some configuration lines to your server.
-This will ensure the social applications will correctly discover your website's ActivityPub API.
-
-#### Nginx
-
-Edit your configuration file and add the following lines to your `server` section.
-Don't forget to adapt:
-- the IP address on the `proxy_pass` lines to match f2ap's configuration;
-- the `<username>` part in the last `location` to match the username of your actor.
-
-```nginx
-server {
-    ## ...
-
-    # Propagate the domain name to f2ap
-    proxy_set_header Host $host;
-
-    # The webfinger allows the social applications to find out that your website serves an ActivityPub API.
-    location /.well-known/webfinger {
-        proxy_pass http://127.0.0.1:8000;
-    }
-
-    location / {
-        # Match any request asking for an ActivityPub content
-        if ( $http_accept ~ .*application/activity\+json.* ) {
-            proxy_pass http://127.0.0.1:8000;
-        }
-
-        # Match any request sending an ActivityPub content
-        if ( $http_content_type = "application/activity+json" ) {
-            proxy_pass http://127.0.0.1:8000;
-        }
-    }
-
-    # Exposes the avatar and the header of the profile
-    # Change the <username> here with the username of the actor you expose (for instance: blog)
-    location ~ /actors/<username>/(avatar|header) {
-        proxy_pass http://127.0.0.1:8000;
-    }
-
-    ## ... 
-}
-```
+See [the dedicated page](https://github.com/Deuchnord/f2ap/wiki/Web-Server-Configuration) on the wiki.
 
 ### Limitations
 

SECURITY.md

@@ -0,0 +1,32 @@
+# Security Policy
+
+## Supported versions
+
+f2ap versions follow the [semantic versioning](https://semver.org) standard.
+Since it is at an early stage of development, its stability is not guaranteed until it reaches the version 1.0.0.
+Until then, only the last version is supported for patches.
+
+## How to inform my website visitors about security of f2ap?
+
+If you use f2ap on your website, you can inform your visitors of the procedure to report any vulnerability by adding the following lines in your `/.well-known/security.txt` file:
+
+```
+# if you found a vulnerability on the ActivityPub implementation, please read the following document:
+Contact: https://github.com/Deuchnord/f2ap/blob/main/SECURITY.md
+```
+
+> `/.well-known/security.txt` is a plain text file proposed on [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116) that explains people who find a vulnerability on your website how to report it.
+> If you don't have one yet, you should consider creating it with your own information.
+> There is [a generator here](https://securitytxt.org) if you need help.
+
+## Reporting a Vulnerability
+
+If you have found a vulnerability on a website that uses f2ap, check first if you can reproduce it in the last public version.
+If you can't, the website is most likely using an old version, so you should contact its administrator and tell them they should upgrade.
+
+If you could reproduce on the last version, please don't open an issue directly, and send me an email to [[email protected]](mailto:[email protected]?subject=Vulnerability%20in%20f2ap) with the subject: _"Vulnerability in f2ap"_, and describe the exact nature of the vulnerability.
+If you know how to fix the problem, you may attach your email with a Git patch to apply, so the security patch may be published more quickly.
+
+For more security, you are encouraged to encrypt your email with the PGP public key found [here](https://deuchnord.fr/pgp.txt).
+
+Thank you for your time!

config.dist.toml

@@ -17,8 +17,8 @@ update_freq = 5
 [actor]
 username = "blog"
 display_name = "The most perfect blog of the Web"
-avatar = "/path/to/avatar.png"
-header = "/path/to/header.jpg"
+avatar = "https://example.com/images/avatar.png"
+header = "https://example.com/images/header.jpg"
 summary = "Why make threads when you can have a blog? 👀"
 
 # A list of people you want the actor to follow, in `@[email protected]` format.
@@ -60,3 +60,7 @@ format = "[{title}]({url})\n{summary}\n{tags}"
 # Available formats: camelCase, CamelCase, snake_case
 # Default: camelCase
 tag_format = "camelCase"
+
+# A list of groups you want to send the message to, additionally to the followers.
+# This is required to get the messages discoverable by some social applications like Lemmy.
+groups = []